Bug 2215507 - Listing /var with details (ls -l /var) leads to missing permissions printing on some directories
Summary: Listing /var with details (ls -l /var) leads to missing permissions printing ...
Keywords:
Status: VERIFIED
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: selinux-policy
Version: 9.0
Hardware: All
OS: All
Priority: low
Severity: low
Target Milestone: rc
Target Release: ---
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 2216151
Reported: 2023-06-16 09:24 UTC by Welterlen Benoit
Modified: 2023-08-16 06:44 UTC (History)

Fixed In Version: selinux-policy-38.1.20-1.el9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 2216151
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-160053 0 None None None 2023-06-16 09:26:51 UTC

Description Welterlen Benoit 2023-06-16 09:24:59 UTC
Description of problem:

With the MLS policy and running in the staff_r role, listing /var with details (ls -l /var) leads to missing permissions printing on some directories (/var/account, /var/crash and /var/yp):

---
# id -Z
root:staff_r:staff_t:s0-s15:c0.c1023

# ls -l /var
ls: cannot access '/var/yp': Permission denied
ls: cannot access '/var/crash': Permission denied
ls: cannot access '/var/account': Permission denied
total 16
d??????????  ? ?    ?       ?            ? account
drwxr-xr-x.  2 root root    6 Aug 10  2021 adm
drwxr-xr-x. 18 root root 4096 Jan 27 10:15 cache
d??????????  ? ?    ?       ?            ? crash
drwxr-xr-x.  3 root root   18 Jan 27 10:01 db
drwxr-xr-x.  2 root root    6 Aug 10  2021 empty
drwxr-xr-x.  2 root root    6 Aug 10  2021 ftp
drwxr-xr-x.  2 root root    6 Aug 10  2021 games
drwxr-xr-x.  3 root root   18 Jan 27 10:01 kerberos
drwxr-xr-x. 59 root root 4096 Feb  6 10:06 lib
drwxr-xr-x.  2 root root    6 Aug 10  2021 local
lrwxrwxrwx.  1 root root   11 Jan 27 10:00 lock -> ../run/lock
drwxr-xr-x. 15 root root 4096 Feb  5 21:32 log
lrwxrwxrwx.  1 root root   10 Aug 10  2021 mail -> spool/mail
drwxr-xr-x.  2 root root    6 Aug 10  2021 nis
drwxr-xr-x.  2 root root    6 Aug 10  2021 opt
drwxr-xr-x.  2 root root    6 Aug 10  2021 preserve
lrwxrwxrwx.  1 root root    6 Jan 27 10:00 run -> ../run
drwxr-xr-x. 10 root root  106 Jan 27 10:03 spool
drwxrwxrwt.  7 root root 4096 Jun 16 11:02 tmp
d??????????  ? ?    ?       ?            ? yp
---

- If we disable the dontaudit rules, we can see the AVCs:

---
type=AVC msg=audit(1686904726.400:201): avc:  denied  { getattr } for  pid=1502 comm="ls" path="/var/yp" dev="dm-0" ino=33839460 scontext=root:staff_r:staff_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1686904726.400:201): arch=c000003e syscall=332 success=yes exit=0 a0=ffffff9c a1=7fff8c839a20 a2=100 a3=25e items=0 ppid=1464 pid=1502 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="ls" exe="/usr/bin/ls" subj=root:staff_r:staff_t:s0-s15:c0.c1023 key=(null)ARCH=x86_64 SYSCALL=statx AUID="root" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1686904726.400:201): proctitle=6C73002D2D636F6C6F723D6175746F002D6C002F766172
type=AVC msg=audit(1686904726.400:202): avc:  denied  { getattr } for  pid=1502 comm="ls" path="/var/crash" dev="dm-0" ino=35114033 scontext=root:staff_r:staff_t:s0-s15:c0.c1023 tcontext=system_u:object_r:kdump_crash_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1686904726.400:202): arch=c000003e syscall=332 success=yes exit=0 a0=ffffff9c a1=7fff8c839a10 a2=100 a3=25e items=0 ppid=1464 pid=1502 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="ls" exe="/usr/bin/ls" subj=root:staff_r:staff_t:s0-s15:c0.c1023 key=(null)ARCH=x86_64 SYSCALL=statx AUID="root" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1686904726.400:202): proctitle=6C73002D2D636F6C6F723D6175746F002D6C002F766172
type=AVC msg=audit(1686904726.400:203): avc:  denied  { getattr } for  pid=1502 comm="ls" path="/var/account" dev="dm-0" ino=51226390 scontext=root:staff_r:staff_t:s0-s15:c0.c1023 tcontext=system_u:object_r:acct_data_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1686904726.400:203): arch=c000003e syscall=332 success=yes exit=0 a0=ffffff9c a1=7fff8c839a10 a2=100 a3=25e items=0 ppid=1464 pid=1502 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="ls" exe="/usr/bin/ls" subj=root:staff_r:staff_t:s0-s15:c0.c1023 key=(null)ARCH=x86_64 SYSCALL=statx AUID="root" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1686904726.400:203): proctitle=6C73002D2D636F6C6F723D6175746F002D6C002F766172
---

- From the policy, staff_t is not allowed to getattr these dirs:

---
$ sesearch -A -s staff_t -p getattr -c dir -t acct_data_t
<...>

$ sesearch -A -s staff_t -p getattr -c dir -t httpd_sys_content_t
<...>

$ sesearch -A -s staff_t -p getattr -c dir -t kdump_crash_t
<...>

$ sesearch -A -s staff_t -p getattr -c dir -t var_yp_t
allow nsswitch_domain var_yp_t:dir { getattr ioctl lock open read search }; [ nis_enabled ]:True
---

- Is there a reason to have this deny for staff_r?

Version-Release number of selected component (if applicable):
selinux-policy-mls-34.1.29-1.el9_0.2.noarch
RHEL9

How reproducible:
always

Steps to Reproduce:
1. enable MLS
2. ls -l /var
3.

Actual results:
Directory attributes are not printed.


Expected results:
Details on directories

Additional info:

Comment 1 Zdenek Pytela 2023-08-04 20:54:27 UTC
Commit to backport:
af31eedaf Allow user_u and staff_u get attributes of non-security dirs

